Which Bank?
Australian readers will quickly note the irony in the title, but more on Which Bank? later. As reporting continues on cases of identity data loss and theft, countries other than the US are starting to have wider reporting of cases within their borders. A potential breach of thousands of student identities and privacy records at the Canterbury University in New Zealand was made public last week. It was not disclosed how long the exploit window had been open for, but it could not have come at a worse time for the university, with a rush of students registering and interacting with their details before the start of the new academic year. Although a valid ID is initially required to gain access to the system, once a user has access they have the ability to view and edit records on any student registered at the University. And investigation is ongoing and it has not been made public when the system is expected back online, if ever.
Which Bank? (the Commonwealth Bank), the St. George Bank and telecommunications company Optus were affected by an embarrassing privacy incident initially reported on Valentine's Day. From the media reports, thousands of account statements affecting thousands of customers, including private account holder data, were spread along the side of a busy Sydney road (Hume Highway at Warwick Farm) after they apparently were lost from a load of waste that was being shipped for destruction by an unnamed company. The documents originated from Salmat, a company contracted by the affected companies to produce and distribute account statements, and it is not known why the statements had not been better handled. This breach appears similar to the one which affected a number of US newspapers when credit card and cheque account details of subscribers was used to bundle papers for distribution.
Even the big contracting agencies can't stop themselves from losing privacy related information. Deloitte & Touche USA recently disclosed that they had lost a CD containing information on thousands of current and former McAfee employees. The loss was assumed to have taken place on December 15, with McAfee being notified on January 11. More worryingly, it was not until January 30 that they were made aware of what information was suspected of being on the disk. The disk contained personal information for all current US and Canadian employees, along with 6,000 workers previously employed by the company in North America. It was reported that the information was unencrypted and could possibly contain details on names, social security numbers and stock holdings in the company. Later reporting suggested that the CD was left in the pocket of an airline seat.
Ernst & Young weren't able to escape the recent spate of information disclosures, with news being reported of the disclosure of information relating to high profile customers. The information was contained on a laptop that was stolen from the parked car of an employee, and included information on the CEO of Sun Microsystems (Scott McNealy), amongst others. The data included such staples as the Social Security Number. Ernst & Young had not publicly admitted to the loss until it was contacted by The Register. While it is reported that the system was password protected, the total number of people exposed by the breach is not known. The link to Scott McNealy came at the recent RSA conference where he admitted that the same organisation being used by Sun to maintain Sarbanes-Oxley compliance (SOX) notified them of a loss of confidential data. The irony of the case was pointed out by The Register in that Ernst & Young have been pushing heavily on transparency of reporting and monitoring for their customers, but have failed to achieve the same themselves (just another case for those who argue companies should eat their own dog food). It has not been determined whether various laws such as SB 1386 have been violated.
Another case of unintentional irony came to light recently, when it was made public that tax company, H & R Block, was itself forced to reissue its statements after discovering that it had miscalculated its own taxes by $32 million USD. Although corporate tax assessment is different from individual tax, the news is expected to be an embarrassment for the company.
Breaches of information require a data source, and one of the largest and most interesting-sounding databases has been confirmed to exist. While it is more confirmation of something that many would have expected, the numbers are still quite staggering. What it is, is a database of 1.92 trillion telephone call details stretching back decades, collated and held by US telco AT & T. While access to the database is extremely limited, the public confirmation of its existence has added another "must have" to the illegal data trade.
One of the less-considered side effects of capitalism is that companies aim to compete their way to a monopoly. With Internet search engines there are many different competing companies that offer similar services, but the market has gravitated to a small number of major market share holders (Google, Yahoo! and MSN), with Google and Yahoo! responsible for more than two-thirds of all searches (searchenginewatch.com July 2005 figures for US searches). With Internet users relying upon these companies to find resources online, websites are always trying to improve their positioning in returned search results. Sometimes, the methods used in these attempts cross the line of what the search engines consider acceptable, and corrective action follows.
In recent months, the German BMW website (bmw.de) was delisted (removed from search results) from Google for the use of 'doorway' pages. Doorway pages are specifically set up to only appear to website crawlers (which the search engines use) and not for human visitors. This relies upon the site developers filtering the display of the site based on what User-Agent is making the request, or what IP the request is coming from as the major search engines index sites from a fairly well known set of IP addresses. This has the effect of the search engines adding pages to their indexes which users can not view - instead they are directed to other content. Due to the misuse of this procedure by spammers and unethical users, the procedure is frowned upon by Google, thus the eventual delisting. Camera manufacturer was expected to face the same fate, for similar activities. The sites have since been reinstated to the Google index.
What should be taken away from this is an understanding that when there are only a couple of primary sources of information, it results in undue levels of trust and faith being placed on those sources. If the availability of information through those sources can be modified through malicious activity, abuse, or unintentional behaviour, then it can leave innocent victims suffering. It also places a social obligation on the information archives to be even-handed in the handling of that information. This is the cornerstone of one of the arguments against Google and Yahoo!'s recent behaviour in establishing search sites in countries like China, where results are prefiltered / censored to comply with National law. The level of argument in this case could suggest that there is a perceived threat from China, as similar actions in France and Germany (limiting of information sources on Nazism), Iran and several African nations (firewall at national border) have not attracted the same level of attention.
A case where the search engines have been accused of abusing their power, by arbitrarily delisting a site is seen with spacewar.com. The military-watching site was recently delisted for unspecified reasons, but later reinstated after numerous complaints were lodged by loyal site visitors. A press release issued by Spacewar drew links between the recent censoring activities in China and the delisting of their site, alluding to a political motivation behind the delisting. While a lot of the claims sound like they are based on paranoia, it doesn't mean that they aren't valid. Again, the site has since been reinstated to the search engine, once again appearing in relevant results.
Apple's security woes from the last couple of weeks (proof-of-concept worm releases) continued with the public release of a fairly high risk vulnerability which could lead to remote compromise of an OS X system in its default configuration. Driven from a variation in how the system and some applications handle the 'meta-data' associated with some files, the proof of concept showed a zip archive which automatically launched the disguised system script within it. The greatest risk was associated with the use of Safari, with the 'open safe files' option selected in the application preferences (enabled by default). Exploitation through other avenues appeared to require at least some level of interaction with the archive and obfuscated files. The file obfuscation used a series of tricks available for file handling in OS X to trick victims into believing the files were legitimate. This included changing the file icon and meta-data to disguise the fact that it was not as it claimed.
This high level of coverage of OS X worms and vulnerabilities led some observers to compare the difference in handling and reporting for OS X and Windows vulnerabilities. While the vulnerabilities are real, and the latest one is serious, it is only as serious as many of the current worms that are threatening Windows users through their email inboxes and sites that they visit. The latest variant of Windows worms do not generate global press like the discovery of an OS X worm does. The security of OS X has not changed all that much, although some media outlets might like to report otherwise.
27 February 2006
Social bookmark this page at eKstreme.
Alternatively, Bookmark or Share via AddThis
Do you like how we cover Information Security news? How about checking out our company services, delivered the same way our news is.
Let our Free OS X Screen Saver deliver the latest security alerts and commentary to your desktop when you're not at your system.
Comments will soon be available for registered users.